php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Doc Bug #73655 Spoofchecker::isSuspicious behavior change due to upstream changes
Submitted: 2016-12-05 15:31 UTC Modified: 2018-05-03 17:09 UTC
From: sjon at hortensius dot net Assigned: ab (profile)
Status: Closed Package: intl (PECL)
PHP Version: 7.1.0 OS:
Private report: No CVE-ID: None
View Developer Edit
 [2016-12-05 15:31 UTC] sjon at hortensius dot net 
Description:
------------
It seems Spoofchecker::isSuspicious is broken; testing an example from the manual all PHP versions work fine; except 7.1.0.

This seems related to an update which was done to the localization which was not present in any of the RCs (insert rant about RCs being real RCs here)

Test script:
---------------
See https://3v4l.org/5HWQT, script was copied from http://php.net/manual/en/spoofchecker.issuspicious.php

<?php
$checker = new Spoofchecker();

var_dump($checker->isSuspicious('google.com'));
var_dump($checker->isSuspicious('Рaypal.com'));

Expected result:
----------------
bool(false)
bool(true)

Actual result:
--------------
bool(false)
bool(false)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-12-05 15:51 UTC] sjon at hortensius dot net 
This might also be related to the recently released ICU-58 (http://site.icu-project.org/download/58) with which 7.1 was compiled. I'm sure distros will compile with the same ICU but this might be the reason I didn't find a suspicious commit in php-src itself
 [2016-12-05 16:22 UTC] sjon at hortensius dot net 
I have confirmed php-7.1.0 compiled with ICU 55 works fine. Compiled with ICU 57 also works. Can anyone confirm if this is a bug with ICU itself; or with PHP's usage of ICU?

This is still a problem as distros such as ArchLinux will soon release with ICU-58 and experience this issue
 [2016-12-05 16:22 UTC] me at kelunik dot com 
Works for me with ICU 55, so it seems to be an ICU problem.

$ php -v
PHP 7.1.0 (cli) (built: Dec  5 2016 17:15:16) ( NTS DEBUG )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.1.0-dev, Copyright (c) 1998-2016 Zend Technologies

$ cat bug73655.php 
<?php

$checker = new Spoofchecker();

var_dump($checker->isSuspicious('google.com'));
var_dump($checker->isSuspicious('Рaypal.com'));

$ php bug73655.php 
bool(false)
bool(true)

$ apt-show-versions libicu-dev 
libicu-dev:amd64/xenial 55.1-7 uptodate
libicu-dev:i386 not installed
 [2016-12-05 16:30 UTC] requinix@php.net 
Related To: Bug #73656
 [2016-12-05 16:34 UTC] requinix@php.net
-Summary: Spoofchecker::isSuspicious broken +Summary: Spoofchecker::isSuspicious behavior change to due upstream changes -Status: Open +Status: Verified -Package: I18N and L10N related +Package: intl
 [2016-12-05 16:34 UTC] requinix@php.net 
I don't understand the terminology but it seems this was an intentional change (or at least accepted side effect) with ICU 85.
http://bugs.icu-project.org/trac/ticket/12549

So this is tentatively NAB and in need of documentation changes, but for all I know there may be a way to preserve the old behavior, possibly involving toggle assorted spoofchecking options if the uspoof C API has that.
 [2016-12-05 16:35 UTC] requinix@php.net
-Summary: Spoofchecker::isSuspicious behavior change to due upstream changes +Summary: Spoofchecker::isSuspicious behavior change due to upstream changes
 [2016-12-05 17:12 UTC] cmb@php.net 
Related To: Bug #73656
 [2016-12-05 17:33 UTC] cmb@php.net
-Assigned To: +Assigned To: stas
 [2016-12-05 17:33 UTC] cmb@php.net 
One can get around the removal of WSC and MSC by setting the list of allowed locales manually, see <https://3v4l.org/33qXs>, for instance. So this might be solely a documentation issue.

Stas, as you're listed as ext/intl maintainer, what do you think?
 [2017-10-20 18:16 UTC] ab@php.net 
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f95063647ccebfde5e8e39bc3349e63f19662395
Log: Fixed bug #73655 Spoofchecker::isSuspicious behavior change due to upstream changes
 [2017-10-20 18:16 UTC] ab@php.net
-Status: Verified +Status: Closed
 [2017-10-20 18:32 UTC] ab@php.net
-Status: Closed +Status: Re-Opened -Type: Bug +Type: Documentation Problem
 [2017-10-20 18:32 UTC] ab@php.net 
The behavior change should be fixed here http://git.php.net/?p=php-src.git;a=commitdiff;h=f95063647ccebfde5e8e39bc3349e63f19662395 

ICU > 58 undergone significant BC breaches, more fixes might be necessary. In general, the fact a locale were needed to have right suspicious checks was not new. Now, with the removal of the MSC and WSC, as well as single script and lower case data removals, it becomes unavoidable. I thought about enforcing the empty allowed locales check, but it seems a bit too much ATM. Still, this issue is worth documenting, as there are no good ways to bring ICU to the old behavior. Neither it would make much sense regarding the latest UNICODE security specs. Turning this into a doc issue now, further tests on the subject are appreciated to catch possible misbehaviors with modern ICU.

Thanks.
 [2017-10-24 05:11 UTC] kalle@php.net
-Status: Re-Opened +Status: Assigned
 [2017-10-24 05:12 UTC] kalle@php.net
-Status: Assigned +Status: Open -Assigned To: stas +Assigned To:
 [2018-05-03 17:09 UTC] ab@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: ab
 [2018-05-03 17:09 UTC] ab@php.net 
Since there are no further comments, closing the ticket.

Thanks.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Fri Oct 31 22:00:01 2025 UTC